Drupal today released an update that patches a cross-site scripting vulnerability in a popular spam and content moderation module used by websites built on the open source CMS.

The vulnerability was in a feature of the Mollom module that is installed on at least 60,000 sites, said Drupal security team volunteer Greg Knaddison, director of engineering at a provider of prepaid Visa and MasterCard credit cards. The vulnerable feature is not enabled by default, Knaddison said, and depending on how it's configured, would require legitimate credentials in order to access it.

"People can use the module to report content as inappropriate. An admin would review the content and mark it as spam, for example. The vulnerability is in some of that code," Knaddison said. "If an attacker is able to create content on a site configured to use that feature, he would be able to execute a cross-site scripting attack inside the admin's browser."

Successfully exploiting the vulnerability would give an attacker admin-level access to sites and enable him to hijack sessions or steal data.

Knaddison said the vulnerability was identified through the bug bounty program, which is managed through Bugcrowd. A Bugcrowd participant with success in finding Drupal bugs looked for bugs in a number of modules including Mollom and found this particular issue, which was rated moderately critical by Drupal.

"Mollom is installed on at least 60,000 sites, and while some of those may be developer sites, that seems like a big number to me," Knaddison said. "Drupal is in use on about one million sites, so 60,000 may be relatively small, but having the ability to get admin control on sites, 60,000 seems like a lot."

Knaddison said that it's unlikely this issue has been exploited in the wild. He said Drupal tracks reports of attacks against websites built on the CMS, in particular the modules targeted. He said he's seen no spike in attacks against Drupal sites recently, in particular those running the Mollom module.

Mollom, meanwhile, is marketed as an intelligent content moderation service. Knaddison said the module analyzes content that is submitted as spam, for example, comparing the content and IP address of the submitter to known spam sites and trends. The module will either mark it as spam and block it, let it go, or if unsure, present the user with a Captcha. "It's a smarter way to put a Captcha in front of the user," Knaddison said.

A Drupal advisory said the vulnerability is mitigated by the fact that an attacker must have a role with permission assigned to create content, and the content type must be enabled to "Flag as Inappropriate." "When reporting content, the content title is not sufficiently sanitized to prevent cross-site scripting attacks," the advisory said.

The affected versions are Mollom 6.x-2.x from 6.x-2.7 to 6.x-2.10 and Mollom 7.x-2.x from 7.x-2.9 to 7.x-2.10. Drupal 6.x users should upgrade their Mollom module to 6.x-2.11, and Drupal 7.x users to Mollom 7.x-2.11.
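The advisory's one-line description, a content title that is not sufficiently sanitized when a report is shown to an administrator, is the classic stored XSS pattern. The following is an added illustration written for this page, not code from the Mollom module or from Drupal: a hypothetical report row rendered the vulnerable way (untrusted title concatenated into HTML) beside the hardened version (every untrusted value escaped for an HTML text context). The `$report` array, the function names and the sample title are constructed for the example. It runs with plain PHP; in Drupal 6 and 7 the escaping call shown is what the core `check_plain()` helper does.

```php
<?php
// Added example, not the Mollom module's code. Demonstrates the bug class the
// advisory describes: a node title reflected into an admin-facing report listing
// without escaping, beside the escaped version. The $report array and the
// render_* function names are hypothetical.

// Constructed sample report. A user with permission to create content controls
// the title; an administrator later views it in the "reported content" listing.
$report = [
    'nid'    => 42,
    'title'  => 'Great deal!<script>alert("xss in the admin browser")</script>',
    'reason' => 'Flagged as inappropriate',
];

// Vulnerable pattern: the title is dropped straight into the HTML. The browser
// of whoever views the listing (the admin) executes the embedded script.
function render_report_row_unsafe(array $report): string
{
    return '<tr><td>' . $report['nid'] . '</td>'
         . '<td>' . $report['title'] . '</td>'
         . '<td>' . $report['reason'] . '</td></tr>';
}

// Hardened pattern: escape each untrusted value for an HTML text context.
// This is exactly what Drupal 6/7 check_plain() does; it is written out here so
// the example runs outside Drupal.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function render_report_row_safe(array $report): string
{
    return '<tr><td>' . escape_html((string) $report['nid']) . '</td>'
         . '<td>' . escape_html($report['title']) . '</td>'
         . '<td>' . escape_html($report['reason']) . '</td></tr>';
}

// Simple check a reviewer or test can run: active markup must not survive
// rendering of attacker-controlled fields.
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$unsafe = render_report_row_unsafe($report);
$safe   = render_report_row_safe($report);

echo "Unsafe row:\n$unsafe\n";
echo 'Contains live <script>? ', contains_script_tag($unsafe) ? 'yes' : 'no', "\n\n";
echo "Escaped row:\n$safe\n";
echo 'Contains live <script>? ', contains_script_tag($safe) ? 'yes' : 'no', "\n";
```

The escaping must happen at output time, in the template or render callback, not at submission time: the same title may be shown in other contexts (plain text e-mail, a JSON response) where HTML entities would be wrong. Escaping only `<` and `>` is not enough either; `ENT_QUOTES` matters because a title placed inside an attribute value can break out with a single quote.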